Creating ELB with certificate fails #3275

Closed
brandonhilkert opened this issue Sep 17, 2015 · 7 comments · Fixed by #3898

Comments

@brandonhilkert

I'm looking to create an AWS ELB with HTTPS listener. I've tried to manually specify the dependency. It fails when you run it once, and then succeeds the second time after the certificate is there.

Here is the failure:

```
Error applying plan:

1 error(s) occurred:

* aws_elb.www: Error creating ELB: CertificateNotFound: Server Certificate not found for the key: arn:aws:iam::520245715689:server-certificate/www
    status code: 400, request id: [ff77c54a-5d89-11e5-9c9c-f30ba67167c9]
```

```
provider "aws" {
    access_key = "${var.access_key}"
    secret_key = "${var.secret_key}"
    region = "${var.region}"
}

resource "aws_iam_server_certificate" "www" {
  name = "www"
  certificate_body = "${file("../ssl/www.crt")}"
  private_key = "${file("../ssl/server.key")}"
}

resource "aws_elb" "www" {
  name = "www"
  availability_zones = ["us-east-1a", "us-east-1c", "us-east-1d", "us-east-1e"]
  depends_on = ["aws_iam_server_certificate.www"]

  listener {
    instance_port = 8080
    instance_protocol = "http"
    lb_port = 80
    lb_protocol = "http"
  }

  listener {
    instance_port = 8080
    instance_protocol = "http"
    lb_port = 443
    lb_protocol = "https"
    ssl_certificate_id = "${aws_iam_server_certificate.www.arn}"
  }

  health_check {
    healthy_threshold = 2
    unhealthy_threshold = 2
    timeout = 3
    target = "HTTP:8080/status"
    interval = 30
  }

  cross_zone_load_balancing = true
  idle_timeout = 400
  connection_draining = true
  connection_draining_timeout = 400
}
```

Am I doing something wrong?

@james-s-nduka

Seems like it's a dependency issue between the certificate creation/deletion and ELB creation/deletion. I have a similar issue where I have to run "destroy" twice in order to remove a certificate attached to an ELB.

@ilijaljubicic

Seems putting

```
provisioner "local-exec" {
  command = "sleep 10"
}
```

into the certificate resource fixes it.

The issue still exists when destroying it.

@james-s-nduka

Would be good if Terraform allowed you to specify handlers/provisioner actions when you perform a "destroy"

@farridav

I think this issue is closely tied to #3412. I currently get round this issue by either applying/destroying my plan twice, or specifically targeting my certificate resource in the first run and running the whole thing afterward, e.g.:

```
$ terraform destroy -target=aws_iam_server_certificate.my-cert
$ terraform destroy
```

I have tried using depends_on, but it makes no difference, as I think the code runs in the right order, but the underlying Amazon API does not return the ARN in time...
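
The comments above describe the certificate not yet being visible to the ELB API right after it is created, with a fixed `sleep` as the workaround. As an added example (not part of the thread, and not Terraform's code or the change in #3898), this Go sketch shows a bounded retry that waits only on `CertificateNotFound` and surfaces every other error immediately. The names `retryOnCertNotFound`, `errCertificateNotFound` and `fakeCreateELB` are hypothetical, and the API is simulated.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// errCertificateNotFound is a hypothetical stand-in for the
// CertificateNotFound error code shown in the issue's output.
var errCertificateNotFound = errors.New("CertificateNotFound")

// retryOnCertNotFound calls create until it succeeds, fails with a different
// error, or the next wait would pass the timeout. It returns the number of
// attempts made. The delay doubles after each failed attempt.
func retryOnCertNotFound(create func() error, timeout, firstDelay time.Duration) (int, error) {
	deadline := time.Now().Add(timeout)
	delay := firstDelay
	for attempt := 1; ; attempt++ {
		err := create()
		if err == nil {
			return attempt, nil
		}
		if !errors.Is(err, errCertificateNotFound) {
			// Not a propagation delay (e.g. a permissions or validation
			// error): retrying would only hide it.
			return attempt, err
		}
		if time.Now().Add(delay).After(deadline) {
			return attempt, fmt.Errorf("certificate not visible after %d attempts: %w", attempt, err)
		}
		time.Sleep(delay)
		delay *= 2
	}
}

// fakeCreateELB is a constructed simulation of the create call: the
// certificate becomes visible on call number visibleAt.
func fakeCreateELB(visibleAt int) func() error {
	calls := 0
	return func() error {
		calls++
		if calls < visibleAt {
			return errCertificateNotFound
		}
		return nil
	}
}

func main() {
	attempts, err := retryOnCertNotFound(fakeCreateELB(3), 2*time.Second, 10*time.Millisecond)
	fmt.Println("attempts:", attempts, "err:", err)
}
```

Unlike a fixed `sleep 10`, this returns as soon as the certificate is visible and gives up with the original error attached once the timeout is reached.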

@catsby
Contributor

catsby commented Nov 12, 2015

This should be fixed in #3898

@saliceti
Contributor

We are experiencing the same issue with terraform 0.6.9.

saliceti added a commit to alphagov/paas-cf that referenced this issue Jan 27, 2016
There is a race condition in Terraform when it creates an ELB with a newly created certificate:

```
* aws_elb.concourse: [WARN] Error creating ELB Listener with SSL Cert, retrying: CertificateNotFound: Server Certificate not found for the key: arn:aws:iam::xxxx:server-certificate/xxxx
	status code: 400, request id: xxxx
```
Here we add a sleep to give time to the IAM certificate to propagate.
This has already been raised: hashicorp/terraform#3275
saliceti added a commit to alphagov/paas-cf that referenced this issue Jan 28, 2016
There is a race condition in Terraform when it creates an ELB with a newly created certificate:

```
* aws_elb.concourse: [WARN] Error creating ELB Listener with SSL Cert, retrying: CertificateNotFound: Server Certificate not found for the key: arn:aws:iam::xxxx:server-certificate/xxxx
	status code: 400, request id: xxxx
```
Here we add a sleep to give time to the IAM certificate to propagate.
This has already been raised: hashicorp/terraform#3275
@ghost

ghost commented Apr 28, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 28, 2020